Trusted publishing

[tomodachi94]

Currently, if we want to publish an extension to Open VSX from a CI environment like GitHub Actions, we need to hard-code a long-lived token. Recently, there has been a push by many package repositories to move to a "trusted publishing" model, where they use OpenID Connect (OIDC) to obtain a token instead of creating and hard-coding a long-lived one.

OpenSSF has a document with more information on how this works.

This issue should be considered complete when you can publish from at least one CI/CD platform using trusted publishing¹. After this issue is closed, requests for new CI/CD platforms should probably go to a new issue.

(Please note this is different from #1494; that issue is about the CI/CD setup in this repository, while this is about publishing extensions.)

Footnotes

1. I suggest GitHub Actions and/or GitLab CI first due to their ubiquity. ↩

[tomodachi94]

Issue for the analogous feature in the official marketplace: microsoft/vsmarketplace#1422

[VijayabaskarR-06]

This issue asks Open VSX to add secure, modern CI publishing using OIDC instead of hard-coded tokens; it’s a feature request
so basically we need to

1. Add OIDC trust support to Open VSX
2. Implement token minting based on OIDC claims
3. Demonstrate publishing from one CI platform and i can work on it. Please assign me